Executive Summary: Evernote is an online note-taking service, started in 2008, that lets users archive documents, images, notes and other data online. Recently, Evernote was breached and sensitive information was stolen, including users' email addresses, usernames and hashed passwords. Evernote responded by resetting all 50 million users' passwords. Evernote had used the MD5 cryptographic hash algorithm to generate the hashes stored in the breached database. MD5 is considered a poor choice for password storage because it is so fast that brute-force attacks can try billions of guesses per second. Evernote did salt the passwords, but salting adds little security value when that many guesses per second are possible.
Analysis: Passwords alone offer little protection for accounts. They are typically weak and easily stolen and cracked. To make passwords stronger, it is best not to reuse them, to make them long, and to mix upper- and lower-case letters, numbers and symbols. Random passwords are best; however, they are usually written down and stored somewhere, which can undo the security they were meant to provide. Passwords should be as strong as possible so that, if they are stolen, they cannot be recovered.
Individuals can make their passwords strong, but it remains the business's responsibility to protect them from being stolen. To help protect user information from being stolen, companies should allow only a few failed password attempts before the account is locked, and they should have users change passwords regularly. Once users have created passwords, businesses can do a lot to protect them: they can hash the passwords, salt them, split them into two parts stored on two different servers, and use multi-factor authentication.
Hashing converts a password such as “password” into a seemingly random string of letters and numbers, making the original password difficult to recover. A hash function always produces the same hash for the same input. There are many websites users can visit to try this security method for themselves.
Salting is a technique that adds more security by prepending a few random characters to the password before hashing it. If someone had a table of precomputed password hashes, the random characters would change the resulting hash, making the stolen hashes much harder to match against that table.
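The following is an added example, not code from the article or from Evernote, that puts the salt-then-hash scheme described above beside a deliberately slow alternative (PBKDF2-HMAC-SHA256 with an assumed 200,000 iterations) and models an attacker guessing against one leaked record. The weak password and the guess list are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data: a weak password and the short guess list a
# cracking tool would try first (hypothetical, for illustration only).
PASSWORD = "password"
GUESSES = ["123456", "letmein", "qwerty", "password", "evernote"]

def md5_salted(password: str, salt: bytes) -> bytes:
    """Salt prepended, then MD5: the scheme the text attributes to Evernote."""
    return hashlib.md5(salt + password.encode()).digest()

def pbkdf2_salted(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Same salt, but a deliberately slow key-derivation function (assumed iteration count)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_record(password, scheme):
    """What the server stores: a fresh random salt and the resulting hash."""
    salt = os.urandom(16)
    return salt, scheme(password, salt)

def verify(password, salt, stored, scheme):
    """Login check; the constant-time compare avoids leaking how many bytes matched."""
    return hmac.compare_digest(scheme(password, salt), stored)

def offline_guess(salt, stored, scheme, guesses):
    """Model an attacker holding one leaked (salt, hash) record.

    Returns (matched guess or None, number of attempts). The salt is in the
    record, so it defeats precomputed tables but not per-record guessing.
    """
    for attempts, guess in enumerate(guesses, 1):
        if hmac.compare_digest(scheme(guess, salt), stored):
            return guess, attempts
    return None, len(guesses)

def time_guessing(scheme, guesses=GUESSES):
    """Seconds per guess for a scheme: MD5 lands in microseconds, PBKDF2 far slower."""
    salt, stored = make_record(PASSWORD, scheme)
    start = time.perf_counter()
    offline_guess(salt, stored, scheme, guesses)
    return (time.perf_counter() - start) / len(guesses)

if __name__ == "__main__":
    for name, scheme in [("salted MD5", md5_salted), ("salted PBKDF2", pbkdf2_salted)]:
        print(f"{name}: {time_guessing(scheme):.6f} s per guess")
```

Both schemes still fall to a weak password in the guess list; the slow function only raises the cost of each guess, which is why strong passwords and a slow hash are needed together.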
Businesses can also split passwords into two parts and store them in different locations. The two parts of the password are never brought together. This makes passwords harder to steal, as someone would need to break into both servers. This technique is known as threshold cryptography.
Lastly, businesses can employ multi-factor authentication, which adds another layer of security: if passwords are stolen, they alone do not allow attackers to gain access to user accounts. Multi-factor authentication is already used by many businesses. A common approach is to log in with the password and, once that has been accepted, receive a text with a unique code on the account holder's cell phone, which must be entered before access to the account is granted. Unless attackers have both the password and the user's cell phone, they cannot gain access. Multi-factor authentication can take many forms; this is just one example.